In general, the Rule holds accountable those entities who are not otherwise covered by the Health Insurance Portability and Accountability Act (HIPAA) when their customers' unsecured health information is compromised.
Up to this point, the FTC has not typically enforced the Rule relative to mobile health apps. However, given the recent proliferation of digital health resources, such as those that track diseases, treatment, fitness, fertility, sleep, mental health, and diet, and their somewhat unrestrained collection and use of consumer data, the FTC took this most recent step to make clear that mobile health apps are generally considered to provide health care services or supplies as it relates to personal health records and, as such, are subject to the Rule. Pursuant to the Policy Statement, a personal health record is an electronic record that can be drawn from multiple sources.
So, according to the FTC, if a mobile health app draws such consumer-sensitive health information from multiple sources – such as through a combination of consumer inputs and application programming interfaces (APIs) – or even through a combination of both health and non-health sources (such as consumer input coupled with the data supplied by the consumer's phone), it is subject to the Rule. Consequently, any time that such a mobile health app discloses or shares health information without user authorization, the Rule's breach notification requirements are triggered.
In order to comply with this most recent guidance and to ensure alignment with the FTC's commitment to the protection of consumer data, developers offering mobile health apps and related digital health resources should integrate the FTC's recommended best practices for the protection of consumer data and the related laws governing those resources.